On 9/19/19 4:18 AM, Eneas U de Queiroz wrote:
> WolfSSL added a wolfSSL_X509_check_host function to perform CN
> validation in v3.10.4, depending on the build-time configure options:
> --enable-nginx enables it for all supported versions;
> --enable-opensslextra, since v3.14.2.
>
> If the function is unavailable, then SSL_get_verify_result will be
> called, and 'valid_cert' will be true if that call suceeds and we
> have a peer certificate, just as it happens with openssl. Only
> 'valid_cn' will not be set.
>
> Signed-off-by: Eneas U de Queiroz <cotequei...@gmail.com>
>
> diff --git a/CMakeLists.txt b/CMakeLists.txt
> index 6b3fc8c..86e1b07 100644
> --- a/CMakeLists.txt
> +++ b/CMakeLists.txt
> @@ -21,6 +21,12 @@ ELSEIF(WOLFSSL)
> IF (NOT HAVE_WOLFSSL_SSLSETIORECV)
> ADD_DEFINITIONS(-DNO_WOLFSSL_SSLSETIO_SEND_RECV)
> ENDIF()
> + CHECK_SYMBOL_EXISTS (wolfSSL_X509_check_host
> + "wolfssl/options.h;wolfssl/ssl.h"
> + HAVE_WOLFSSL_X509_CHECK_HOST)
> + IF (NOT HAVE_WOLFSSL_X509_CHECK_HOST)
> + ADD_DEFINITIONS(-DNO_X509_CHECK_HOST)
> + ENDIF()
> ELSE()
> SET(SSL_SRC ustream-io-openssl.c ustream-openssl.c)
> SET(SSL_LIB crypto ssl)
> diff --git a/ustream-openssl.c b/ustream-openssl.c
> index 21abf61..c830618 100644
> --- a/ustream-openssl.c
> +++ b/ustream-openssl.c
> @@ -203,7 +203,7 @@ static void ustream_ssl_error(struct ustream_ssl *us, int
> ret)
> uloop_timeout_set(&us->error_timer, 0);
> }
>
> -#ifndef WOLFSSL_OPENSSL_H_
> +#ifndef NO_X509_CHECK_HOST
>
> static bool ustream_ssl_verify_cn(struct ustream_ssl *us, X509 *cert)
> {
> @@ -212,10 +212,15 @@ static bool ustream_ssl_verify_cn(struct ustream_ssl
> *us, X509 *cert)
> if (!us->peer_cn)
> return false;
>
> +# ifndef WOLFSSL_OPENSSL_H_
> ret = X509_check_host(cert, us->peer_cn, 0,
> X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, NULL);
> +# else
> + ret = wolfSSL_X509_check_host(cert, us->peer_cn, 0, 0, NULL);
> +# endif
> return ret == 1;
> }
>
> +#endif
>
> static void ustream_ssl_verify_cert(struct ustream_ssl *us)
> {
> @@ -235,11 +240,12 @@ static void ustream_ssl_verify_cert(struct ustream_ssl
> *us)
> return;
>
> us->valid_cert = true;
> +#ifndef NO_X509_CHECK_HOST
> us->valid_cn = ustream_ssl_verify_cn(us, cert);
> +#endif
> X509_free(cert);
> }
>
> -#endif
>
> __hidden enum ssl_conn_status __ustream_ssl_connect(struct ustream_ssl *us)
> {
> @@ -252,9 +258,7 @@ __hidden enum ssl_conn_status
> __ustream_ssl_connect(struct ustream_ssl *us)
> r = SSL_connect(ssl);
>
> if (r == 1) {
> -#ifndef WOLFSSL_OPENSSL_H_
> ustream_ssl_verify_cert(us);
> -#endif
> return U_SSL_OK;
> }
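Review bot: The new wolfSSL branch in ustream_ssl_verify_cn passes 0 as the flags argument, while the OpenSSL branch it sits next to passes X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, so the two builds apply different hostname-matching policy to the peer's certificate names (partial wildcards such as `f*o.example` would be rejected by one build and, depending on wolfSSL's matcher, possibly accepted by the other). If wolfSSL does not honour that flag, the hunk should say so with a comment, e.g. `/* wolfSSL: no-partial-wildcard flag not available; matching is stricter/looser than the OpenSSL build — verify against the wolfSSL version in use */`; if it does, pass the same flag so both builds enforce the same policy. In the @@ -235 hunk, the `#ifndef NO_X509_CHECK_HOST` guard leaves us->valid_cn untouched when the check is unavailable, which relies on the field having been zeroed beforehand — a one-line comment at that site stating that valid_cn stays false in that configuration would make the intent visible to callers. Note that ustream_ssl_verify_cn's opening lines, including the declaration of `ret`, lie before this hunk.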
I am getting this error message with this patch: [ 12%] Building C object CMakeFiles/ustream-ssl.dir/ustream-ssl.c.o In file included from /home/hauke/openwrt/openwrt/build_dir/target-mipsel_24kc_musl/ustream-ssl-wolfssl/ustream-ssl-2019-08-17-e8f9c22d/ustream-internal.h:27:0, from /home/hauke/openwrt/openwrt/build_dir/target-mipsel_24kc_musl/ustream-ssl-wolfssl/ustream-ssl-2019-08-17-e8f9c22d/ustream-ssl.c:25: /home/hauke/openwrt/openwrt/build_dir/target-mipsel_24kc_musl/ustream-ssl-wolfssl/ustream-ssl-2019-08-17-e8f9c22d/ustream-openssl.h: In function '__ustream_ssl_set_server_name': /home/hauke/openwrt/openwrt/build_dir/target-mipsel_24kc_musl/ustream-ssl-wolfssl/ustream-ssl-2019-08-17-e8f9c22d/ustream-openssl.h:48:2: error: implicit declaration of function 'SSL_set_tlsext_host_name'; did you mean 'SSL_set_tlsext_debug_arg'? [-Werror=implicit-function-declaration] SSL_set_tlsext_host_name(us->ssl, us->server_name); ^~~~~~~~~~~~~~~~~~~~~~~~ SSL_set_tlsext_debug_arg cc1: all warnings being treated as errors make[6]: *** [CMakeFiles/ustream-ssl.dir/build.make:63: CMakeFiles/ustream-ssl.dir/ustream-ssl.c.o] Error 1 and this config: CONFIG_WOLFSSL_HAS_AES_CCM=y CONFIG_WOLFSSL_HAS_ARC4=y CONFIG_WOLFSSL_HAS_CHACHA_POLY=y CONFIG_WOLFSSL_HAS_DH=y CONFIG_WOLFSSL_HAS_NO_HW=y CONFIG_WOLFSSL_HAS_OCSP=y CONFIG_WOLFSSL_HAS_SESSION_TICKET=y CONFIG_WOLFSSL_HAS_TLSV10=y CONFIG_WOLFSSL_HAS_TLSV13=y CONFIG_WOLFSSL_HAS_WPAS=y Hauke